Hacking, Fate-Sharing and Going Dark

It is with deliberate contempt that I describe vendors of “lawful” interception malcode such as Hacking Team, FinFisher, and NSO Group as subscribing to the “Wernher von Braun School of Rocketry”. They state that selling exclusively to governments frees them from responsibility for how the tools are misused, on the assumption that all state use abides by the laws of the jurisdiction. But tool misuse by state actors has implications beyond any particular jurisdiction. That is in part because of negative “fate-sharing”, where the legitimate investigations of certain states and entities can be compromised by actual or even potential misuse of the tools by licensed third parties.

We have no way of knowing which of the 100 removed installations represented abusive use, which represented testing, and which disrupted significant ongoing investigations. Google absolutely did the right thing by disabling this malware, but the potential collateral damage is significant and does highlight the limitations of hacking as a means of accessing otherwise inaccessible communications.

This introduces a particular problem for law enforcement. If law enforcement relies on the same tools used by rather repressive regimes, its ongoing investigations can be compromised by the actions of those regimes. For example, when the UAE got caught attacking Ahmed Mansoor with NSO Group spyware, this potentially compromised an unknown number of other investigations relying on the same tools. And given the shady nature of these companies, it made perfect sense for Google to do the same for the Lipizzan malcode.

This isn’t to discourage law enforcement from hacking in accordance with the appropriate judicial safeguards. I still think it is the best option available for investigations where prospective content is essential in the face of modern secure communication. But it is important to remember that hacking tools can be particularly brittle, and tools that are also used by less reputable actors can be significantly more brittle.

Nicholas Weaver is a senior staff researcher focusing on computer security at the International Computer Science Institute in Berkeley, California, and a lecturer in the Computer Science department at the University of California at Berkeley. All opinions are his own.